A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page.
1. A method, comprising: creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor; generating a page fault when an access attempt is made to a second guest kernel page; fixing the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and denying the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.
2. The method of claim 1, further comprising: if the page fault is a data page fault and the second guest kernel page does not correspond to the entry in the soft whitelist: fixing the page fault; and marking the second guest kernel page as non-executable.
3. The method of claim 1, wherein the creating the soft whitelist comprises adding a machine page frame number (MFN) corresponding to a virtual address of the first guest kernel page into a hash.
4. The method of claim 3, further comprising: determining if a MFN corresponding to a virtual address of the page fault is present in the hash.
5. The method of claim 1, wherein the first guest kernel page corresponds to a page table entry (PTE) in a shadow page table of the hypervisor.
6. An apparatus, comprising: a memory; a processor; and a hypervisor, wherein the processor is configured to create a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising the hypervisor; generate a page fault when an access attempt is made to a second guest kernel page; fix the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and deny the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.
7. The apparatus of claim 6, wherein the processor is further configured to mark the second guest kernel page as read-only and executable, if the page fault is the instruction page fault and the second guest kernel page corresponds to the entry in the soft whitelist.
8. The apparatus of claim 6, wherein the processor is further configured to, if the page fault is a data page fault and the second guest kernel page does not correspond to the entry in the soft whitelist, both fix the page fault and mark the second guest kernel page as non-executable.
9. The apparatus of claim 6, wherein the processor is further configured to add a machine page frame number (MFN) corresponding to a virtual address of the first guest kernel page into a hash.
10. The apparatus of claim 9, wherein the processor is further configured to determine if a MFN corresponding to a virtual address of the page fault is present in the hash.
11. The apparatus of claim 6, wherein the first guest kernel page corresponds to a page table entry (PTE) in a shadow page table of the hypervisor.
12. Logic, encoded in non-transitory media, that includes code for execution and comprising: instructions to create a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor; instructions to generate a page fault when an access attempt is made to a second guest kernel page; instructions to fix the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and instructions to deny the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.
13. The logic of claim 12, further comprising: instructions to mark the second guest kernel page as read-only and executable if the page fault is the instruction page fault and the second guest kernel page corresponds to the entry in the soft whitelist.
14. The logic of claim 12, further comprising: instructions to, if the page fault is a data page fault and the second guest kernel page does not correspond to the entry in the soft whitelist: fix the page fault; and mark the second guest kernel page as non-executable.
15. The logic of claim 12, wherein the instructions to create the soft whitelist comprise instructions to add a machine page frame number (MFN) corresponding to a virtual address of the first guest kernel page into a hash.
16. The logic of claim 15, further comprising: instructions to determine if a MFN corresponding to a virtual address of the page fault is present in the hash.
17. The logic of claim 12, wherein the first guest kernel page corresponds to a page table entry (PTE) in a shadow page table of the hypervisor.
18. The logic of claim 12, wherein the soft whitelist is created after the guest OS has loaded a process scheduler, a memory manager, and a file system at boot.
19. The logic of claim 12, wherein the soft whitelist is created before the guest OS has loaded a process scheduler, a memory manager, and a file system, and the first guest kernel page is from a paged pool range or a non-paged pool range.
20. The logic of claim 12, further comprising: instructions to set a lockdown feature bit in the hypervisor during domain creation to enable rootkit protection.
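The following is an added simulation, not code from the patent, of the page-fault policy described in the abstract and in claims 1, 2, 7 and 20: a hash of MFNs as the soft whitelist, shadow PTEs that trap accesses while not present, and the four outcomes (fix and allow, mark read-only and executable, deny an instruction fetch, or fix a data fault and mark the page non-executable). All class and function names, the page size and the sample MFNs are assumptions.

```python
from dataclasses import dataclass

PAGE_SHIFT = 12  # 4 KiB pages (assumed)


@dataclass
class ShadowPTE:
    """Minimal model of a shadow page table entry the hypervisor controls."""
    mfn: int                 # machine page frame number backing the guest page
    present: bool = False    # not-present entries trap every access into the hypervisor
    writable: bool = True
    executable: bool = True


class SoftWhitelist:
    """Hash of MFNs for guest kernel pages recorded as known-good when the list is built."""

    def __init__(self):
        self._mfns = set()

    def add(self, shadow_pt, vaddr):
        # Record the MFN that currently backs this guest kernel virtual address.
        self._mfns.add(shadow_pt[vaddr >> PAGE_SHIFT].mfn)

    def contains(self, mfn):
        return mfn in self._mfns


def handle_kernel_page_fault(wl, shadow_pt, fault_vaddr, instruction_fetch, lockdown=True):
    """Apply the soft-whitelist policy to one guest kernel page fault and return the verdict."""
    pte = shadow_pt[fault_vaddr >> PAGE_SHIFT]
    if not lockdown:                 # lockdown feature bit clear: plain fault fixing, no policy
        pte.present = True
        return "fix"
    if wl.contains(pte.mfn):         # listed page: fix the fault, allow access and execution
        pte.present = True
        if instruction_fetch:        # code page: lock it read-only and executable
            pte.writable, pte.executable = False, True
        return "allow"
    if instruction_fetch:            # unlisted code: refuse to fix, execution is denied
        return "deny-exec"
    pte.present = True               # unlisted data: fix the fault but make the page NX
    pte.executable = False
    return "fix-nx"


def build_demo():
    """Constructed sample: two whitelisted kernel pages plus one page that appears later."""
    pt = {0x10: ShadowPTE(mfn=0xAA), 0x11: ShadowPTE(mfn=0xBB), 0x20: ShadowPTE(mfn=0xCC)}
    wl = SoftWhitelist()
    wl.add(pt, 0x10000)
    wl.add(pt, 0x11000)
    return wl, pt
```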
February 24, 2015
October 11, 2016